authorLuke Howard <lukeh@padl.com>2009-08-30 18:00:29 +0000
committerLuke Howard <lukeh@padl.com>2009-08-30 18:00:29 +0000
commit844712eab3d7297d8da69bf8472a7af4aacb40f6 (patch)
tree083f2c676bab33cbb23a5cc0b5968d455b61cb72
parente9229840e63f7cd9a9b1d596c3d58dcd4e3980b4 (diff)
enhance authdata context interface to handle automatic verification of KDC issued auth data
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22665 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/configure.in1
-rw-r--r--src/include/kdb_ext.h1
-rw-r--r--src/include/krb5/authdata_plugin.h16
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c7
-rw-r--r--src/lib/krb5/krb/authdata.c63
-rw-r--r--src/lib/krb5/krb/pac.c7
-rw-r--r--src/tests/gssapi/t_namingexts.c2
7 files changed, 87 insertions, 10 deletions
diff --git a/src/configure.in b/src/configure.in
index 8aa1867..122d06a 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1098,6 +1098,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
plugins/preauth/wpse
plugins/authdata/greet
plugins/authdata/greet_client
+ plugins/authdata/greet_server
clients clients/klist clients/kinit clients/kvno
clients/kdestroy clients/kpasswd clients/ksu
diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index 59323e2..5695971 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -101,6 +101,7 @@ typedef struct _kdb_sign_auth_data_req {
krb5_keyblock *server_key; /* Key used to generate server signature */
krb5_timestamp authtime; /* Authtime of TGT */
krb5_authdata **auth_data; /* Authorization data from TGT */
+ krb5_keyblock *session_key; /* Reply session key */
} kdb_sign_auth_data_req;
typedef struct _kdb_sign_auth_data_rep {
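Review bot: `session_key` is appended to `kdb_sign_auth_data_req`, a structure handed across the KDB module boundary, and nothing in the hunk gives a module built against the previous layout a way to notice the extra field; if the request struct is versioned elsewhere that is fine, otherwise the addition needs an accompanying version bump. The comment also says nothing about lifetime — whether the pointer is borrowed for the duration of the call or must be freed by the module — so something like `/* Reply session key (borrowed for the call; not owned by the module — confirm) */` would help the next plugin author. The enclosing struct definition begins outside the hunk.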
diff --git a/src/include/krb5/authdata_plugin.h b/src/include/krb5/authdata_plugin.h
index fd2acf9..6f0fdea 100644
--- a/src/include/krb5/authdata_plugin.h
+++ b/src/include/krb5/authdata_plugin.h
@@ -68,7 +68,7 @@ struct _krb5_db_entry_new;
* functions.
*/
/* extern krb5plugin_authdata_ftable_v0 authdata_server_0; */
-typedef struct krb5plugin_authdata_ftable_v0 {
+typedef struct krb5plugin_authdata_server_ftable_v0 {
/* Not-usually-visible name. */
char *name;
@@ -107,9 +107,11 @@ typedef struct krb5plugin_authdata_ftable_v0 {
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v0;
+} krb5plugin_server_authdata_ftable_v0;
-typedef struct krb5plugin_authdata_ftable_v1 {
+typedef krb5plugin_server_authdata_ftable_v0 krb5plugin_authdata_ftable_v0;
+
+typedef struct krb5plugin_authdata_server_ftable_v1 {
/* Not-usually-visible name. */
char *name;
@@ -155,7 +157,9 @@ typedef struct krb5plugin_authdata_ftable_v1 {
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v1;
+} krb5plugin_authdata_server_ftable_v1;
+
+typedef krb5plugin_authdata_server_ftable_v1 krb5plugin_authdata_ftable_v1;
typedef krb5_error_code
(*authdata_client_plugin_init_proc)(krb5_context context, void **plugin_context);
@@ -258,7 +262,9 @@ typedef krb5_error_code
void *request_context,
const krb5_auth_context *auth_context,
const krb5_keyblock *key,
- const krb5_ap_req *req);
+ const krb5_ap_req *req,
+ krb5_boolean kdc_issued_flag,
+ krb5_const_principal issuer);
typedef struct krb5plugin_authdata_client_ftable_v0 {
char *name;
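Review bot: The two parameters added to the client verify callback, `kdc_issued_flag` and `issuer`, are undocumented: a plugin author cannot tell from the header whether `issuer` is NULL when the flag is FALSE (in authdata.c the same `kdc_issuer` pointer is passed on every call regardless of the flag), nor that it is borrowed and must not be freed. A short comment above the typedef, e.g. `/* kdc_issued_flag: the element was found inside a verified AD-KDCISSUED container; issuer: that container's i-principal, or NULL, owned by the caller */`, would settle both questions. Separately, the client ftable keeps its `_v0` name while the prototype of one of its members changes; if that v0 table has been released to out-of-tree plugins this is an ABI break that should go into a new version rather than the existing one.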
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index 30b48e8..a232ffc 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -1687,8 +1687,11 @@ asn1_error_code asn1_decode_ad_kdcissued
val->elements = NULL;
{begin_structure();
get_field(val->ad_checksum, 0, asn1_decode_checksum);
- opt_field(val->i_principal, 1, asn1_decode_realm, 0);
- opt_field(val->i_principal, 2, asn1_decode_principal_name, 0);
+ if (tagnum == 1) {
+ alloc_principal(val->i_principal);
+ opt_field(val->i_principal, 1, asn1_decode_realm, 0);
+ opt_field(val->i_principal, 2, asn1_decode_principal_name, 0);
+ }
get_field(val->elements, 3, asn1_decode_authorization_data);
end_structure();
}
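Review bot: The new `if (tagnum == 1)` guard makes decoding of i-sname (tag 2) conditional on i-realm (tag 1) being present, but in AD-KDCIssued both fields are independently OPTIONAL (RFC 4120 §5.2.6.2); an element that carries only tag 2 leaves it unconsumed, so the following `get_field(val->elements, 3, ...)` sees the wrong tag and the decode fails, if I read the decoder macros right. Allocating when either tag is present, `if (tagnum == 1 || tagnum == 2) {`, accepts both encodings; whether a realm-less or name-less issuer should then count as an issuer at all is for `krb5_verify_authdata_kdc_issued` to decide, and it is safer to treat such a partial principal as "no issuer" than to act on it. The enclosing function begins outside the hunk.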
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index ffb9806..a267683 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -297,6 +297,40 @@ krb5_authdata_import_attributes(krb5_context kcontext,
return code;
}
+static krb5_error_code
+k5_get_kdc_issued_authdata(krb5_context kcontext,
+ const krb5_ap_req *ap_req,
+ krb5_principal *kdc_issuer,
+ krb5_authdata ***kdc_issued_authdata)
+{
+ krb5_error_code code;
+ krb5_authdata **authdata;
+ krb5_authdata **ticket_authdata;
+
+ *kdc_issuer = NULL;
+ *kdc_issued_authdata = NULL;
+
+ ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
+
+ code = krb5int_find_authdata(kcontext,
+ ticket_authdata,
+ NULL,
+ KRB5_AUTHDATA_KDC_ISSUED,
+ &authdata);
+ if (code != 0)
+ return code;
+
+ code = krb5_verify_authdata_kdc_issued(kcontext,
+ ap_req->ticket->enc_part2->session,
+ authdata[0],
+ kdc_issuer,
+ kdc_issued_authdata);
+
+ krb5_free_authdata(kcontext, authdata);
+
+ return code;
+}
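Review bot: `authdata[0]` in the `krb5_verify_authdata_kdc_issued` call is dereferenced without checking that the lookup found anything, yet the loop later in this same commit treats `code == 0` with `authdata == NULL` from `krb5int_find_authdata` as "not present", so a ticket with no AD-KDCISSUED element dereferences NULL here; the early return should read `if (code != 0 || authdata == NULL) return code;`. Only `authdata[0]` is verified, so a ticket carrying several AD-KDCISSUED elements has all but the first ignored without a trace — worth at least a comment, or a loop. The call site in the next hunk (`k5_get_kdc_issued_authdata(kcontext, ap_req, &kdc_issuer, &kdc_issued_authdata);`) discards the return value, which makes a container whose checksum fails indistinguishable from one that is absent; that is defensible if the wrapped elements are then simply never trusted, but it should be a deliberate, commented choice or the error should propagate so a tampered container fails the verification.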
+
krb5_error_code
krb5int_authdata_verify(krb5_context kcontext,
krb5_authdata_context context,
@@ -309,13 +343,18 @@ krb5int_authdata_verify(krb5_context kcontext,
krb5_error_code code = 0;
krb5_authdata **authen_authdata;
krb5_authdata **ticket_authdata;
+ krb5_principal kdc_issuer = NULL;
+ krb5_authdata **kdc_issued_authdata = NULL;
authen_authdata = (*auth_context)->authentp->authorization_data;
ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
+ k5_get_kdc_issued_authdata(kcontext, ap_req,
+ &kdc_issuer, &kdc_issued_authdata);
for (i = 0; i < context->n_modules; i++) {
struct _krb5_authdata_context_module *module = &context->modules[i];
krb5_authdata **authdata;
+ krb5_boolean kdc_issued_flag = FALSE;
if ((module->flags & usage) == 0)
continue;
@@ -328,7 +367,22 @@ krb5int_authdata_verify(krb5_context kcontext,
authen_authdata,
module->ad_type,
&authdata);
- if (code != 0 || authdata == NULL)
+ if (code != 0)
+ break;
+
+ if (authdata == NULL && kdc_issued_authdata != NULL) {
+ code = krb5int_find_authdata(kcontext,
+ kdc_issued_authdata,
+ NULL,
+ module->ad_type,
+ &authdata);
+ if (code != 0)
+ break;
+
+ kdc_issued_flag = TRUE;
+ }
+
+ if (authdata == NULL)
continue;
assert(authdata[0] != NULL);
@@ -343,7 +397,9 @@ krb5int_authdata_verify(krb5_context kcontext,
*(module->request_context_pp),
auth_context,
key,
- ap_req);
+ ap_req,
+ kdc_issued_flag,
+ kdc_issuer);
}
if (code != 0 && (module->flags & AD_INFORMATIONAL))
code = 0;
@@ -352,6 +408,9 @@ krb5int_authdata_verify(krb5_context kcontext,
break;
}
+ krb5_free_principal(kcontext, kdc_issuer);
+ krb5_free_authdata(kcontext, kdc_issued_authdata);
+
return code;
}
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 7bb37b7..de3b3e8 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -1001,7 +1001,9 @@ mspac_verify(krb5_context context,
void *request_context,
const krb5_auth_context *auth_context,
const krb5_keyblock *key,
- const krb5_ap_req *req)
+ const krb5_ap_req *req,
+ krb5_boolean kdc_issued_flag,
+ krb5_const_principal issuer)
{
krb5_error_code code;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
@@ -1009,6 +1011,9 @@ mspac_verify(krb5_context context,
if (pacctx->pac == NULL)
return EINVAL;
+ if (kdc_issued_flag)
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
code = krb5_pac_verify(context,
pacctx->pac,
req->ticket->enc_part2->times.authtime,
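Review bot: The new `if (kdc_issued_flag) return KRB5KRB_AP_ERR_BAD_INTEGRITY;` carries no comment explaining why a PAC found inside an AD-KDCISSUED container is rejected, and the `issuer` parameter goes unused, so a reader cannot tell whether this is a temporary restriction or a rule. A comment such as `/* A PAC is protected by its own KDC and server signatures; a PAC wrapped in AD-KDCISSUED is not a form this module accepts, so reject it rather than verify it */` would make the intent explicit — confirm that is the actual reasoning. Note the check runs only after `pacctx->pac` is already non-NULL, so the wrapped PAC has presumably been parsed by an earlier step and is rejected only at verify time; if the parse step is where untrusted bytes are handled, rejecting earlier may be preferable. The enclosing function begins outside the hunk.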
diff --git a/src/tests/gssapi/t_namingexts.c b/src/tests/gssapi/t_namingexts.c
index 084c252..11b0d5f 100644
--- a/src/tests/gssapi/t_namingexts.c
+++ b/src/tests/gssapi/t_namingexts.c
@@ -386,9 +386,11 @@ int main(int argc, char *argv[])
gss_release_name(&tmp, &tmp_name);
+#if 0
major = testGreetAuthzData(&minor, name);
if (GSS_ERROR(major))
goto out;
+#endif
} else {
fprintf(stderr, "Usage: %s [principal] [keytab]\n", argv[0]);
exit(1);
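Review bot: The `testGreetAuthzData` call is compiled out with a bare `#if 0` and nothing says why or what would allow it back; tests disabled this way tend to stay disabled. A one-line reason above the `#if 0`, e.g. `/* Disabled: <reason — e.g. plugin not yet updated for the new verify signature>; re-enable when fixed */` with the placeholder filled in, or a TODO naming the blocker, keeps the intent recoverable. `main()` begins outside the hunk.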